Fail2ban初识
????Fail2ban就是一款軟件,一般主要是通過監控分析日志來更新防火墻規則從而拒絕一些IP地址達到保護服務器的目的。比如嘗試后臺密碼,尋×××器漏洞等。
????安裝需求:Python2.4版本以上,防火墻軟件一種iptables或者shorewall。
????安裝方法:ubuntu14.04
????????sudo apt-get install fail2ban
????理解幾個關鍵詞語:
????????filter:用來定義一系列正則表達式去匹配log中的內容,實際上可理解為一個過濾器;
????????action:用來定義一些列命令用以在不同的情況下執行,就是一個執行動作
????????jail:這個就是用來把一個filter和一個或者諾干個action結合起來,每當log中有filter能匹配就去執行action,這可以說是fail2ban這個軟件的基本原理。
????????client:對應fail2ban-client這個腳本命令
????????server:對應fail2ban-server這個腳本命令
????Fail2ban分為兩個部分:服務端和客戶端,服務端是一個多線程的,監聽命令的socket,本身對配置文件是沒有任何聯系的,而客戶端是Fail2ban的前端,它連接到服務端的socket負責讀取配置文件并且發送配置文件中的命令給服務端。
    fail2ban-server
        -b                   start in background
        -f                   start in foreground
        -s <FILE>            socket path
        -x                   force execution of the server
        -h, --help           display this help message
        -V, --version        print the version
    fail2ban-client
        -c <DIR>             configuration directory
        -s <FILE>            socket path
        -d                   dump configuration. For debugging    (prints the parsed configuration as the stream of commands it would send to the server; it does not back anything up)
        -i                   interactive mode
        -v                   increase verbosity
        -q                   decrease verbosity
        -x                   force execution of the server
        -h, --help           display this help message
        -V, --version        print the version
    fail2ban-client start                start the server and load the configuration
    fail2ban-client reload               reload the configuration files
    fail2ban-client status [jailname]    show the status of all jails, or of one jail (including the currently banned addresses)
    Configuration directory:
        /etc/fail2ban/
        ├── action.d
        │   ├── dummy.conf
        │   ├── hostsdeny.conf
        │   ├── iptables.conf
        │   ├── mail-whois.conf
        │   ├── mail.conf
        │   └── shorewall.conf
        ├── fail2ban.conf
        ├── fail2ban.local
        ├── filter.d
        │   ├── apache-auth.conf
        │   ├── apache-noscript.conf
        │   ├── couriersmtp.conf
        │   ├── postfix.conf
        │   ├── proftpd.conf
        │   ├── qmail.conf
        │   ├── sasl.conf
        │   ├── sshd.conf
        │   └── vsftpd.conf
        ├── jail.conf
        └── jail.local
        A *.local file overrides the settings of the matching *.conf; put your own changes in the .local files, because the package manager overwrites the .conf files on upgrade.
    Typical configuration:
    jails (example):
        [ssh-iptables]
        #enabled  = false
        enabled  = true        enables this jail
        filter   = sshd        the filter to use, found in /etc/fail2ban/filter.d (here sshd.conf)
        action   = iptables[name=SSH, port=ssh, protocol=tcp]        the action(s) to run, found in /etc/fail2ban/action.d; the values in brackets fill the [Init] parameters of the action file
        #           mail-whois[name=SSH, dest=yourmail@mail.com]
        #logpath  = /var/log/sshd.log        the log file to watch
        logpath  = /var/log/auth.log
        maxretry = 5        maximum number of attempts: once one address has accumulated this many filter matches within findtime, the action runs
        findtime        the window, in seconds, over which matches are counted; only matches from the last findtime seconds count toward maxretry, older ones drop out, so an address whose failures are spread more thinly than that never reaches the threshold
        bantime        how long, in seconds, an address stays banned; a negative value means permanently
    Filters (example):
        failregex = Authentication failure for .* from <HOST>
                    Failed [-/\w]+ for .* from <HOST>
                    ROOT LOGIN REFUSED .* FROM <HOST>
                    [iI](?:llegal|nvalid) user .* from <HOST>        the regular expressions matched against log lines; <HOST> is a placeholder that fail2ban expands into a pattern capturing the offending address
    Actions (example):
        [INCLUDES]
        before = iptables-blocktype.conf
        [Definition]
        actionstart = iptables -N fail2ban-<name>
                      iptables -A fail2ban-<name> -j RETURN
                      iptables -I <chain> -m state --state NEW -p <protocol> --dport <port> -j fail2ban-<name>
        actionstop = iptables -D <chain> -m state --state NEW -p <protocol> --dport <port> -j fail2ban-<name>
                     iptables -F fail2ban-<name>
                     iptables -X fail2ban-<name>
        actioncheck = iptables -n -L <chain> | grep -q 'fail2ban-<name>[ \t]'
        actionban = iptables -I fail2ban-<name> 1 -s <ip> -j <blocktype>
        actionunban = iptables -D fail2ban-<name> -s <ip> -j <blocktype>
        [Init]
        name = default
        port = ssh
        protocol = tcp
        chain = INPUT
        actionstart runs when the jail starts: it creates a per-jail chain and hooks it into <chain> for new connections to <port>. actioncheck verifies before each ban that the chain is still present, actionban and actionunban insert or delete a rule for <ip>, and actionstop tears the chain down when the jail stops. The <name>, <port>, <protocol> and <chain> tags are the [Init] defaults, overridden by the parameters given in the jail's action line; <blocktype> (REJECT or DROP) comes from the included iptables-blocktype.conf.
        Testing a regex: fail2ban-regex "line" "failregex"
        The first argument is a single log line or the path of a log file, the second a regular expression or a filter file from /etc/fail2ban/filter.d; the tool reports how many lines matched and which hosts were captured, which is the quickest way to check a filter before enabling a jail.
        (example)
        fail2ban-regex /var/log/auth.log "Failed [-/\w]+ for .* from <HOST>"
        To lift a ban by hand: fail2ban-client set YOURJAILNAMEHERE unbanip IPADDRESSHERE (I have tested this and it works; it may differ between versions or systems)
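To see how filter, jail and action fit together, here is an added example in Python (not fail2ban's own code and not from the original post) that simulates the ssh-iptables jail above: it runs the page's four failregex lines over a constructed auth.log, keeps a per-host sliding findtime window, bans at maxretry, and renders the iptables actionban/actionunban commands with <name>, <ip> and <blocktype> filled in. The <HOST> expansion, the syslog line format, blocktype=DROP, the hostname, addresses and log lines are all assumptions made for the example.

```python
# Added example, not fail2ban's code: a jail simulation that runs the page's sshd
# failregex over constructed log lines and renders its iptables action commands.
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# The four failregex lines from the page's sshd filter example.
FAILREGEX = [
    r"Authentication failure for .* from <HOST>",
    r"Failed [-/\w]+ for .* from <HOST>",
    r"ROOT LOGIN REFUSED .* FROM <HOST>",
    r"[iI](?:llegal|nvalid) user .* from <HOST>",
]
# Assumption: the pattern fail2ban 0.8 substitutes for the <HOST> tag.
HOST_RE = r"(?:::f{4,6}:)?(?P<host>[\w\-.^_]*\w)"
# Assumption: syslog-style auth.log lines, "Mon DD HH:MM:SS host message".
SYSLOG_LINE = re.compile(r"^(?P<ts>\w{3} +\d{1,2} \d\d:\d\d:\d\d) \S+ (?P<msg>.*)$")
# actionban/actionunban from the page's iptables action; name=SSH is the jail's
# action parameter, blocktype=DROP is assumed (really set in iptables-blocktype.conf).
ACTION_TAGS = {"name": "SSH", "blocktype": "DROP"}
ACTIONBAN = "iptables -I fail2ban-<name> 1 -s <ip> -j <blocktype>"
ACTIONUNBAN = "iptables -D fail2ban-<name> -s <ip> -j <blocktype>"


def render(template, **tags):
    # Fill <tag> placeholders the way fail2ban fills action commands.
    for key, value in {**ACTION_TAGS, **tags}.items():
        template = template.replace("<%s>" % key, str(value))
    return template


def parse_syslog(line):
    # Return (timestamp, message) for a syslog-shaped line, else None.
    m = SYSLOG_LINE.match(line)
    if not m:
        return None
    return datetime.strptime(m.group("ts"), "%b %d %H:%M:%S"), m.group("msg")


class Filter:
    # A compiled failregex list; match() returns the captured host or None.
    def __init__(self, failregex):
        self.patterns = [re.compile(r.replace("<HOST>", HOST_RE)) for r in failregex]

    def match(self, message):
        for pattern in self.patterns:
            found = pattern.search(message)
            if found:
                return found.group("host")
        return None


class Jail:
    # Counts filter hits per host inside a sliding findtime window; bans at maxretry.
    def __init__(self, filt, maxretry, findtime, bantime):
        self.filter = filt
        self.maxretry = maxretry
        self.findtime = timedelta(seconds=findtime)
        self.bantime = None if bantime < 0 else timedelta(seconds=bantime)  # < 0: permanent
        self.failures = defaultdict(deque)  # host -> timestamps of recent failures
        self.banned = {}                    # host -> unban time (None = never)
        self.events = []                    # (event, host, rendered action command)

    def feed(self, line):
        parsed = parse_syslog(line)
        if parsed is None:
            return
        now, message = parsed
        # Simplification: the log timestamp stands in for the wall clock when expiring bans.
        for host, until in list(self.banned.items()):
            if until is not None and until <= now:
                del self.banned[host]
                self.events.append(("unban", host, render(ACTIONUNBAN, ip=host)))
        host = self.filter.match(message)
        if host is None or host in self.banned:
            return
        window = self.failures[host]
        window.append(now)
        while now - window[0] > self.findtime:
            window.popleft()  # matches older than findtime no longer count
        if len(window) >= self.maxretry:
            self.banned[host] = None if self.bantime is None else now + self.bantime
            window.clear()
            self.events.append(("ban", host, render(ACTIONBAN, ip=host)))


def run_jail(lines, maxretry=5, findtime=600, bantime=600):
    jail = Jail(Filter(FAILREGEX), maxretry, findtime, bantime)
    for line in lines:
        jail.feed(line)
    return jail.events


# Constructed sample auth.log: 203.0.113.5 fails 5 times in 8 s, 198.51.100.7 once,
# 192.0.2.9 three times and then twice more 19 minutes later.
SAMPLE_LOG = [
    "Mar 10 10:00:01 bastion sshd[2001]: Failed password for root from 203.0.113.5 port 50001 ssh2",
    "Mar 10 10:00:03 bastion sshd[2002]: Failed password for root from 203.0.113.5 port 50002 ssh2",
    "Mar 10 10:00:05 bastion sshd[2003]: Invalid user admin from 203.0.113.5",
    "Mar 10 10:00:07 bastion sshd[2005]: Failed password for invalid user admin from 203.0.113.5 port 50003 ssh2",
    "Mar 10 10:00:09 bastion sshd[2006]: Failed password for root from 203.0.113.5 port 50004 ssh2",
    "Mar 10 10:00:20 bastion sshd[2007]: Failed password for deploy from 198.51.100.7 port 40002 ssh2",
    "Mar 10 10:01:00 bastion sshd[2008]: Failed password for root from 192.0.2.9 port 6001 ssh2",
    "Mar 10 10:01:01 bastion sshd[2009]: Failed password for root from 192.0.2.9 port 6002 ssh2",
    "Mar 10 10:01:02 bastion sshd[2010]: Failed password for root from 192.0.2.9 port 6003 ssh2",
    "Mar 10 10:20:00 bastion sshd[2011]: Failed password for root from 192.0.2.9 port 6004 ssh2",
    "Mar 10 10:20:01 bastion sshd[2012]: Failed password for root from 192.0.2.9 port 6005 ssh2",
]

if __name__ == "__main__":
    for event, host, command in run_jail(SAMPLE_LOG):
        print(event, host, "->", command)
```

Run directly, it prints the ban of 203.0.113.5 (its fifth failure arrives within eight seconds) followed by its unban once bantime has elapsed; 198.51.100.7 and 192.0.2.9 are never banned. Call run_jail(SAMPLE_LOG, findtime=3600) instead and 192.0.2.9's two bursts add up to maxretry and it is banned too, which is exactly the effect findtime has on a real jail, and bantime=-1 produces a ban that is never lifted. Real fail2ban expires bans on the wall clock; the simulation uses log timestamps so that it runs offline.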
Reposted from: https://blog.51cto.com/zyzdbk/1795853